Question

ASP.NET 4.5 / C# / SQL 2012

I already have a well defined database with a users table and a roles/permissions column. The column contains a delimited list of roles. I was hoping to use ASP.NET's built in features on the back-end so I can be lazy and use things like the and filter by role. I'd like to read my roles from the database and tell ASP these are the roles my user is in. Custom...but hopefully simple. Here is what I have so far:

    // requires: using System.Security.Principal; using System.Threading; using System.Web;

    //create an identity
    GenericIdentity objIdentity = new GenericIdentity("Matt"); //this would actually be the username/email of the newly authenticated user

    //get roles for user
    string[] strRoles = { "ADW", "USR" }; //this will get read from the database on authentication

    //add identity and roles to a principal
    GenericPrincipal objPrincipal = new GenericPrincipal(objIdentity, strRoles);

    //add to current user
    HttpContext.Current.User = objPrincipal;

    //add the principal to the current context of the current thread
    Thread.CurrentPrincipal = objPrincipal; //not sure what this does, doesn't affect my results/tests

If I execute the code above and then run the following:

    Response.Write(User.IsInRole("ADW"));
    Response.Write(User.IsInRole("xxx"));

I get a True/False as expected. However, this doesn't persist to the next page. I did a fair amount of reading on custom membership/role providers, but I can't find this specific use case. Most talk about setting up a DB specifically for this task. I also saw mention of the newer Simple Membership, but couldn't get any love from that end either. I'm hoping there is a solution that involves what I'm already doing. I'd love to execute this code when the user authenticates, but be able to reference this user in other pages. I could always call to the database for every page. I'm assuming that would suck, and that's not what the built in provider does.

Thanks all.

Solution

You are approaching it from the wrong side. You don't have to create identity and principal manually, assuming you are not creating a custom authentication module.

In any other case, you only choose the persistence mechanism and the corresponding authentication module sets the identity/principal according to the persistence.

A commonly used persistence mechanism is Forms Authentication, where you issue forms cookies. The forms authentication module makes sure the identity/principal is set early in the pipeline and takes the cookie as the source of information.

If you want to replace the cookie by your custom cookie (in other words - replace forms authentication with your own) - you have to think of a way to persist the security info, to the cookie for example.

Note, however, that this is probably not necessary. The very same forms authentication can be used with any custom membership and role providers. This is because these two have different responsibilities - the membership provider is for actual authentication, whereas the forms authentication module is for persisting the information for consecutive requests.

Edit: to add a role for a user so that it is persisted in the user database:

 Roles.AddUsersToRoles( ... );

But first, you'd have to create users in the user database:

 Membership.CreateUser( ... );

Note that Roles and Membership are facades for actual role and membership providers. While default providers use the membership database, you can easily create custom providers that persist the information anywhere at the server side.
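The following is an added example (not code from the question or the answer above) of what the last two paragraphs describe: a custom RoleProvider that reads the asker's existing delimited roles column, so the stock Forms Authentication cookie persists the login between pages and `User.IsInRole(...)` / `Roles.IsUserInRole(...)` resolve against the asker's own table instead of the default membership database. The table and column names (`Users`, `UserName`, `RolesCsv`), the connection string name `MyAppDb`, the namespace and the delimiter are assumptions.

```csharp
// Added example: RoleProvider backed by an existing "delimited roles" column.
// Assumed schema: Users(UserName NVARCHAR(256), RolesCsv NVARCHAR(MAX)).
using System;
using System.Collections.Specialized;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using System.Web.Security;

namespace MyApp.Security
{
    public class DelimitedColumnRoleProvider : RoleProvider
    {
        private string _connectionStringName = "MyAppDb"; // assumed name
        private char _delimiter = ',';

        public override string ApplicationName { get; set; }

        public override void Initialize(string name, NameValueCollection config)
        {
            if (config == null) throw new ArgumentNullException("config");
            if (string.IsNullOrEmpty(name)) name = "DelimitedColumnRoleProvider";
            base.Initialize(name, config);

            // Optional attributes on the <add .../> element in web.config.
            if (!string.IsNullOrEmpty(config["connectionStringName"]))
                _connectionStringName = config["connectionStringName"];
            if (!string.IsNullOrEmpty(config["delimiter"]))
                _delimiter = config["delimiter"][0];
        }

        // Turn "ADW;USR; usr;" into distinct, trimmed role names (case-insensitive).
        public static string[] ParseRoles(string delimited, char delimiter)
        {
            if (string.IsNullOrWhiteSpace(delimited)) return new string[0];
            return delimited
                .Split(new[] { delimiter }, StringSplitOptions.RemoveEmptyEntries)
                .Select(r => r.Trim())
                .Where(r => r.Length > 0)
                .Distinct(StringComparer.OrdinalIgnoreCase)
                .ToArray();
        }

        // Called by the role manager for the name carried in the forms-auth cookie.
        public override string[] GetRolesForUser(string username)
        {
            if (string.IsNullOrEmpty(username)) return new string[0];

            string cs = ConfigurationManager.ConnectionStrings[_connectionStringName].ConnectionString;
            using (var conn = new SqlConnection(cs))
            // Parameterised: the user name originates from a client-supplied cookie,
            // so it must never be concatenated into the SQL text.
            using (var cmd = new SqlCommand("SELECT RolesCsv FROM Users WHERE UserName = @u", conn))
            {
                cmd.Parameters.Add("@u", SqlDbType.NVarChar, 256).Value = username;
                conn.Open();
                var raw = cmd.ExecuteScalar() as string;
                return ParseRoles(raw, _delimiter);
            }
        }

        public override bool IsUserInRole(string username, string roleName)
        {
            return GetRolesForUser(username).Contains(roleName, StringComparer.OrdinalIgnoreCase);
        }

        // The roles column is maintained by the asker's existing application, so the
        // management half of the provider contract is deliberately not supported.
        public override void AddUsersToRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void RemoveUsersFromRoles(string[] usernames, string[] roleNames) { throw new NotSupportedException(); }
        public override void CreateRole(string roleName) { throw new NotSupportedException(); }
        public override bool DeleteRole(string roleName, bool throwOnPopulatedRole) { throw new NotSupportedException(); }
        public override bool RoleExists(string roleName) { throw new NotSupportedException(); }
        public override string[] GetAllRoles() { throw new NotSupportedException(); }
        public override string[] GetUsersInRole(string roleName) { throw new NotSupportedException(); }
        public override string[] FindUsersInRole(string roleName, string usernameToMatch) { throw new NotSupportedException(); }
    }
}

/* web.config (assumed names). Forms auth persists the login in an encrypted cookie;
   the role manager calls GetRolesForUser once per login and caches the result in a
   second encrypted cookie, so the database is not hit on every page.

<system.web>
  <authentication mode="Forms">
    <forms loginUrl="~/Login.aspx" timeout="30" requireSSL="true" />
  </authentication>
  <roleManager enabled="true" defaultProvider="DelimitedColumn"
               cacheRolesInCookie="true" cookieProtection="All">
    <providers>
      <clear />
      <add name="DelimitedColumn" type="MyApp.Security.DelimitedColumnRoleProvider"
           connectionStringName="MyAppDb" delimiter=";" />
    </providers>
  </roleManager>
</system.web>

   Login.aspx.cs, after the asker's own credential check succeeds:
   FormsAuthentication.RedirectFromLoginPage(userName, false);
*/
```

With this in place the manual GenericPrincipal construction from the question is no longer needed: the FormsAuthentication module sets `User` from the ticket early in the pipeline, and the RoleManager module wraps it in a RolePrincipal that consults the provider above, so `User.IsInRole("ADW")` works on every page after login. Note that `requireSSL="true"` and `cookieProtection="All"` matter here, since both the login and the cached role list travel in cookies.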

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow